University of Baltimore School of Law's Center for International and Comparative Law Fellows discuss international and comparative legal issues

All’s Fair in Love and Cyberwar

A United States drone strikes a car near a gas station in Syria.[1] Inside that car, Junaid Hussain lays lifeless.[2] Though a seemingly normal 21-year-old British man with an education and a wife, Junaid possessed exceptional computer hacking skills and ties to ISIS’s cyber division.[3] Instead of the United States sending a sniper to take out Junaid, a person used his or her trigger finger to direct the drone strike from a computer miles away from the gas station.[4] Throughout history, technology has drastically changed warfare. The advances in cyberspace technology are no exception and the law is struggling to keep up.

While country-on-country cyber-attacks have made headlines in the 21st century, such attacks can be dated as far back as the Cold War.[5] In June 1984, a United States satellite detected a large blast in Siberia.[6] That blast turned out to be an explosion on a Soviet gas pipeline.[7] A malfunction in the computer-controlled system that the Soviets stole from a firm in Canada caused the explosion.[8] Unware to them, the CIA caused the malfunction by tampering with the software, resetting the pump and valve settings to produce pressures far beyond the capabilities of the pipeline welds, which ultimately resulted in destruction.[9]

The most recent and controversial cyber-attack resulted in WikiLeaks publishing a series of confidential emails exchanged between several key members of the Democratic National Committee.[10] The release negatively impacted the Democratic Party in the public eye and resulted in the call for resignation from the DNC chairperson, the CEO, the CFO, and the Communications Director.[11] Despite President Trump’s initial accusation, these hackers are not just 400 pound guys in a basement; they are sophisticated and, potentially, dangerous adversarial governments.[12]

The United States accused Russian President Vladimir Putin of ordering an “influence campaign” aimed at weakening Hilary Clinton’s campaign and strengthening Donald Trump’s.[13] The campaign consisted of hacking Democratic groups and individuals and releasing that information via third party websites, including WikiLeaks.[14] Intelligence agencies concluded with high confidence that Russia had intended to undermine American faith in the electoral system by hurting Hilary Clinton’s chances of winning.[15] As a result, in December 2016, America responded with what was arguably its strongest response yet to a state sponsored cyberattack.[16] “All Americans should be alarmed by Russia’s actions” stated Former President Obama.[17] While there is partisan disagreement about the scope and intent of the Russian cyber-attack on the 2016 United States Presidential Election, 77% of Americans from a wide variety of political backgrounds believe that cyber-attacks against computer systems in the United States are a serious threat.[18] Meanwhile, 63% of Americans believe that the United States is not adequately prepared to deal with these cyber threats.[19]

While President Trump has repeatedly stated that the Russian hacking had no influence on the outcome of the election, it is becoming clear that cyber-attacks are becoming more prevalent and powerful.[20] Intelligence agencies reported that the Russian election intervention is an old-fashioned Soviet-style propaganda campaign made more powerful by the tools of cyberage.[21] While it may seem like this was a onetime event and new attack, it was actually a part of a campaign that went undetected for years.[22]

The same international laws apply to cyberspace as they do to traditional warfare domains. Yet, cyber-attacks are difficult for the international community to analyze due to their complexity and secrecy. In response to this challenge, the NATO Cyber Centre wrote the Tallinn Manual on the International Law Applicable to Cyber Warfare.[23] Applying the principles of the international law of war in cyberspace, the manual has been the primary guide for armed conflicts.[24] According to the principles in the manual, the Russian cyber-attacks on the DNC are below the threshold of an armed conflict.[25] On the other hand, if Russia had destroyed America’s cyber infrastructure, it would likely be enough to be a use of force and thus a violation.[26]

Yet others experts, such as the chairman of the U.S. Naval War College’s international law department Michael Schmidt, believe that the DNC hack was in fact a violation of international law.[27] For example, the hack could have threatened U.S. sovereignty.[28] The hackers attempted to intervene into the internal fairs of the United States affairs, which includes running elections.[29] However, there would need to be proof that Russia not only stole information but used the information to manipulate election results.[30]

Therefore, the DNC hacks still lie in a legal gray zone. While the Tallinn Manual provides excellent guidance on applying international law in cyberspace, the Tallinn Manual 2.0 is in the works to expand upon it.[31] The goal of this additional manual is to examine how international law applies to cyber-attacks below the threshold on an armed conflict.[32] Until then, clever nations will continue to use cyber-attacks, like the DNC hack, to cause harmful effects but not cross the line that would trigger an armed response.[33]

Elizabeth Hays is a third year law student at the University of Baltimore School of Law. She completed her undergraduate studies at the University of Baltimore, where she majored in Jurisprudence. Her legal interests include administrative law, national security law, and maritime law. Elizabeth has previously interned with the U.S. Army JAG Corps and the U.S. Coast Guard JAG Corps. Additionally, she participated in the winter study abroad program in Curaçao in 2015/16. She is currently the Co-President of University of Baltimore Students for Public Interest (UBSPI) and a Staff Editor for University of Baltimore Law Forum.

One thought on “All’s Fair in Love and Cyberwar”

I find the lack of international law in the realm of cyber warfare to be fascinating and also alarming. Do you think that there would be a good argument to make the Tallinn Manual at least a good starting point for countries to reference to if a cyberattack occurs? I think one argument that supports this is the fact the international experts took existing international laws and applied it to the constantly changing cyber realm. In my opinion, I believe the threats like Stuxnet in Iran and the various hackings of dams in the United States from abroad certainly calls for the international community to take this non-binding document and make it into something more relevant.